CVE-2019-25761

Received Received - Intake

SQL Injection in JoomCRM Component

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: VulnCheck

Description

Joomla! Component JoomCRM 1.1.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the deal_id parameter. Attackers can send GET requests to index.php with option=com_joomcrm&view=contacts and inject SQL code in the deal_id parameter to extract sensitive database information including table names and schemas.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-06-19

Last Modified

2026-06-19

Generated

2026-06-19

AI Q&A

2026-06-19

EPSS Evaluated

N/A

NVD

CVE-2019-25761

EUVD

EUVD-2019-20197

Affected Vendors & Products

Vendor	Product	Version / Range
joomboost	joomcrm	to 1.1.1 (inc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Executive Summary

Joomla! Component JoomCRM version 1.1.1 contains a high-severity SQL injection vulnerability identified as CVE-2019-25761. This vulnerability allows authenticated attackers to execute arbitrary SQL commands by injecting malicious code through the deal_id parameter in a GET request to index.php with option=com_joomcrm&view=contacts.

By exploiting this flaw, attackers can extract sensitive database information such as table names and schemas, due to improper input validation in the component.

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive database information, including table names and schemas, which can compromise the confidentiality of your data.

Attackers who exploit this flaw can execute arbitrary SQL queries, potentially leading to data leakage or manipulation.

Detection Guidance

This vulnerability can be detected by monitoring HTTP GET requests to the Joomla! site, specifically targeting requests to index.php with parameters option=com_joomcrm and view=contacts where the deal_id parameter is present.

To detect potential exploitation attempts, you can look for suspicious SQL injection patterns in the deal_id parameter within web server logs or by using web application firewall (WAF) rules.

Example commands to detect such attempts include using grep on web server logs to find suspicious requests:

grep "option=com_joomcrm&view=contacts" /var/log/apache2/access.log | grep "deal_id="
grep -i "union select" /var/log/apache2/access.log

Additionally, tools like sqlmap can be used to test the vulnerability by targeting the deal_id parameter with crafted payloads to confirm if SQL injection is possible.

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable component to only trusted authenticated users, as the vulnerability requires authentication.

Applying input validation and sanitization on the deal_id parameter to prevent SQL injection is critical.

Updating JoomCRM to a version that patches this vulnerability is strongly recommended.

If an update is not immediately available, consider disabling or removing the vulnerable JoomCRM component until a fix is applied.

Implementing Web Application Firewall (WAF) rules to block SQL injection attempts targeting the deal_id parameter can help reduce risk.

Compliance Impact

The SQL injection vulnerability in Joomla! Component JoomCRM 1.1.1 allows attackers to extract sensitive database information, including table names and schemas. This unauthorized access to sensitive data could lead to violations of data protection regulations such as GDPR and HIPAA, which require the safeguarding of personal and sensitive information against unauthorized access and breaches.

Failure to address this vulnerability may result in exposure of confidential data, potentially causing non-compliance with these standards due to inadequate protection measures and risk of data breaches.

Hi! I’m here to help you understand CVE-2019-25761. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2019-25761

SQL Injection in JoomCRM Component

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart